models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XML External Entity (XXE) injection when parsing XMP metadata entries: the XMP packet embedded in a PDF is parsed as XML with external entity resolution enabled, so a crafted document can declare a SYSTEM entity that the parser fetches and substitutes into the metadata fields an application then reads.
Upstream patch: https://github.com/pikepdf/pikepdf/commit/3f38f73218e5e782fe411ccbb3b44a793c0b343a
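The following is an added example, not code from pikepdf or from the upstream patch. It shows the XXE condition in miniature: a constructed XMP packet whose DOCTYPE declares an external entity pointing at a local file, parsed once with external general entity resolution enabled and once with it disabled. It uses only the standard library's xml.sax (pikepdf's XMP parser is built on lxml, where the corresponding hardening is etree.XMLParser(resolve_entities=False, no_network=True) or defusedxml); the temp file, its "secret-token-123" contents and the dc:title field used as the sink are all constructed for the demonstration.

```python
# Added example (not pikepdf's code): an XMP packet carrying an external
# entity, parsed with external entity resolution enabled (the XXE condition)
# and then with it disabled (the hardened configuration). Stdlib only.
import io
import os
import tempfile
import xml.sax
from typing import Tuple
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed XMP packet: the DOCTYPE declares an external entity pointing at a
# local file (the attacker's chosen target), and dc:title references it so the
# file's contents land in a field any metadata reader would happily return.
XMP_TEMPLATE = """<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<!DOCTYPE x:xmpmeta [
  <!ENTITY xxe SYSTEM "{path}">
]>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:title>&xxe;</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""


class TitleCollector(ContentHandler):
    """Collects the character data of dc:title, as a metadata reader would."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""

    def startElement(self, name, attrs):
        if name == "dc:title":
            self._in_title = True

    def endElement(self, name):
        if name == "dc:title":
            self._in_title = False

    def characters(self, content):
        if self._in_title:
            self.title += content


def parse_xmp_title(xmp: str, resolve_external_entities: bool) -> str:
    """Parse an XMP packet and return the text of dc:title.

    resolve_external_entities=True reproduces the vulnerable behaviour
    (SYSTEM entities are fetched and substituted into the document);
    False is the hardened setting, where the reference is dropped.
    """
    parser = xml.sax.make_parser()
    # feature_external_ges controls external general entity expansion; it is
    # off by default in current Python, so it is set explicitly both ways here.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TitleCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xmp))
    return handler.title


def demo() -> Tuple[str, str]:
    """Write a constructed secret to a temp file, then parse the crafted XMP
    both ways. Returns (vulnerable_result, hardened_result)."""
    fd, path = tempfile.mkstemp(prefix="xxe-target-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("secret-token-123")  # constructed sample secret
        xmp = XMP_TEMPLATE.format(path=path)
        vulnerable = parse_xmp_title(xmp, resolve_external_entities=True)
        hardened = parse_xmp_title(xmp, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return vulnerable, hardened


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities resolved:", repr(leaked))  # file contents leak
    print("external entities disabled:", repr(safe))    # empty title
```

With resolution enabled the title comes back as the target file's contents; with it disabled the entity reference is silently dropped and the title is empty. The same split applies to any XML parser fed untrusted XMP: the check to make is whether the parser object it constructs still resolves external entities (and, separately, whether it fetches external DTDs over the network).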
Created python-pikepdf tracking bugs for this issue: Affects: fedora-all [bug 1946270]
*** Bug 1945364 has been marked as a duplicate of this bug. ***
Statement: This flaw does not affect any Red Hat shipped commercial products, as pikepdf is not currently shipped.
External References: https://github.com/pikepdf/pikepdf/blob/master/docs/release_notes.rst